Thursday, 26 November 2015

OAM - allowedaccessgatelist user defined parameter

Ever wondered what this "allowedaccessgatelist" parameter does or why it is their ....... Let's understand it.....

  

First of all what does Oracle doc tell you about this paramtere;

allowedAccessGateList= Authentication Scheme challenge parameter configured with SPACE separated list of WebGate IDs defining those WebGates that are allowed to enforce authentication by this scheme. 
For example:
allowedAccessGateList=WebgateID1 WebgateID2


Where to configure it & how?

This parameter is applicable for Authn Scheme configured as user defined parameter. 
  •  for 11g -> allowedAccessGateList=WebgateID1 WebgateID2
  • for 10g -> allowedAccessGateList:WebgateID1 WebgateID2
 The only difference is that '=' is used in 11g while ':' is used in 10g

What does it do if configured?

It ensures that the no other webgate profile can use the authn scheme other than configured in this parameter.
Like;
allowedAccessGateList=WebgateID1 WebgateID2

If while accessing the resource it is found that the webgate id profile mismatches with the one configured, what will happen?

User will not be able to access the resource even if the provided creds are correct.

Demo:  

ECC & DCC : Call flow with allowedAccessGateList parameter defined in authn scheme;



Configuration Steps:

  •  Open /oamconsole

  •  I have created an auth scheme that i will use for ECC

  •  In user defined parameter define the allowedAccessGateList parameter with its value.

  •  I have already created DCC Authn Scheme that i will with for RWG protected resources.


  •  Goto ur ECC & RWG Profile in Application Domain;

  •  Assign the respective Authn Scheme in the Protected Resource Policy;


In the shown configuration, i have configured corrected webgate id in the allowedAccessGateList parameter; 
In case their is a mismatch following errors are shown by ECC & RWG webgate when protected resource is accessed:

ECC:


 

RWG:




Hope it clears the funda.... !!!!

Enjoy :-)

Wednesday, 4 November 2015

OAM Webgate DCC NAP TUNNELING

Enabling DCC NAP TUNNELING:

NOTE: DCC as a Resource Webgate doesn't support NAP Tunneling, which means if you want to access a resource protected by DCC itself than in that case NAP TUNNELING is not supported.
You have to have a separate resource webgate which is DCC Protected & in DCC webgate you have enabled nap tunneling.

  • Supported Case:



  • Non-Supported Case:


Prerequisites:

  • 2 profiles has already been created i.e.
    • One for resource webgate.
    • Other one for DCC Webgate
  • If possible do test whether you are able to access a resource protected by DCC. So that we are sure that things are working in DCC Mode & we just need to test NAP Tunneling via DCC.
Note: I will be demonstrating Login Page NAP Tunneling Via DCC Webgate.

Let's Start:


1) Make sure the parameter "DirectAuthenticationServiceDescriptor" is set to true in oam-config.xml file.



2) Create an authentication scheme, that will be used to protect the resources on Resource Webgate.


3) Now update the authentication scheme, in the protected resource policy of the resource webgate profile;


Note: This policy scheme needs to be updated for RESOURCE WEBGATE PROFILE not for DCC WEBGATE PROFILE


4) Once done, now we need to update DCC WEBGATE PROFILE:
  • Update the user defined parameter; add the tunneled url information, i.e. which url you want to tunnel.


Note: here i have tunneled '/oam' url, thus any request landing on dcc webgate having /oam in the url will be tunneled to oam server.

  • Now we need to create a new resource in dcc webgate profile; goto the launch pad -> Application domain -> <DCC WEBGATE PROFILE> -> Resources -> Create new resource.
    • This new resource name should be the one that you have added in the tunneled url above.
    • And this resource should use PUBLIC RESOURCE POLICY.
    • Keep one thing in mind, if you have tunneled 2 urls, like /oam,/oamfed than 2 resources should be created.


Note:
  • In the above step you can see we have added a resource '/oam/**' as a public resource which means, any url which has /oam, will be treated as public resource by DCC WEBGATE PROFILE.
  • Also, you can see i have added 3 more resources i.e. for the DCC WEBGATE itself. It has nothing to do with the NAP TUNNELING. You can skip this as well.

Demo:
1) Say you access a resource /index.html, that is protected by DCC & in DCC NAP TUNNELING is enabled;
2) DCC Webgate need to show the OAM server login page rather than its own, thats what we intent to see in this demo.

resource webgate: abc.com
dcc webgate - xyx.com








So we are able to tunnel the login page, & thus DCC shows the oam server login page instead of the one that is present on DCC itself.
But it doesn't mean that credential collection will be done by OAM SERVER.... no no no....
It is just that DCC has shown the login page of oam server that it has received via NAP tunnel. Rest all functionality remains the same.



Enjoy :-)